GDPR...Implications on Research

AnEmployee22

Free Member
Feb 17, 2018
Hi, I am new.

Essentially, I am a researcher in a commercial sense - as opposed to academia or other fields - and I have a few worries. I think it should be okay, but this seems the ideal place to discuss it IMO. I'm far from an expert, so please forgive me if my questions seem somewhat naive when set against this forum.
  • Research... Would I as an employee be the Data Controller, or the Data Processor?
  • In the event there is a problem - let's say the data is gained without phoning an opt-in, through searching e.g. LinkedIn or similar - would my company be on the hook??
  • Moreover, as the employee, would I be on the hook for a fine? By which I mean the authorities themselves fine me, or the company themselves pass it onto me somehow, or even take legal action against me - in what would be the definition of futility, given the fines GDPR seems to throw up - in order to recover the money they paid out?
When I say this stuff about being on the hook, passing on etc., I'm not including maliciousness or malignance; I'm considering genuine GDPR errors by employees.

Really keen on knowing this, and I think certainly a useful thread.
 

fluffybunny

You would be neither; the company and the DPO would be responsible.
Yes, the company would be "on the hook".
And may I say, if you're going through LinkedIn looking for email addresses, it whiffs of unsolicited marketing/evasion, not research.
They may not be able to recover the company losses due to the fine from you, but you will certainly be sacked for misconduct, and a lot of other related things.
 

AnEmployee22

Free Member
Feb 17, 2018
Thank you for the response.

Wow, that's slightly worrying - unsolicited marketing/evasion?? Erm... Misconduct? I've never been admonished for my work, so I couldn't comment on rules or otherwise, because well - yeah, I'd get the sack for misconduct, but wow - unsolicited marketing. That sounds worrying! Evasion of??
 

fisicx

Moderator
Sep 12, 2006
Unless you have permission from the person, you can't send them a marketing email. Those are the new rules.

You can send them a PM asking if you can contact them directly, but you can't just grab their email address and market your services. If you do and the person complains, then the company can be fined.
 

fisicx

Moderator
Sep 12, 2006
I'm not Marketing as such.
Marketing covers a huge range of things. If you are sending joe.bloggs at something.com an email from mail at yourcompany.com without consent, then you could be in breach of the legislation.

You might just about be OK if you send them an 'I would like to contact you about...' and add an unsubscribe link in the body of the email. But even then you are on dodgy ground if the recipient complains.

Best not to send anything at all.
 

fluffybunny

My post wasn't intended to scare you, but to point out that the fines are very steep for non-compliance. I own a business, and if an employee breached the GDPR the way you described I would sack them for it (breach of the GDPR being gross misconduct), instigate more training (everyone is crystal clear in my company) and pray it saved me from a massive fine. I am fairly sure examples will be made of big business; indeed, several well known companies have already been told they are in breach.
As far as I know, "I'm not Marketing as such" translates as "I am marketing but don't want it to appear that way".
The safest way to proceed is to honestly read the directive, run the checklists, and ask yourself what's in the best interest of the client/customer.
 

fluffybunny

I thought it may help to describe some of the measures taken. We deal in IT security, and if nothing else a breach of the GDPR would make us a laughing stock.
Backups are conducted by a dedicated backup officer, who gets the key from the DPO to conduct the encrypted backup. The key is returned to the DPO immediately, no excuses, and stored securely.
The website, emails etc. have been extensively altered.
Our databases have been modified, and staff training extensively undertaken.
Our computer systems have been by and large unaffected, as we maintain extreme awareness of security breaches. We use a dedicated security officer to monitor firewalls and other security systems.
The best part is we invite customers/clients to inspect our processes per GDPR requirements, and usually they say "wow, you really take our data seriously". It gains us more business :)
 
In the event there is a problem - let's say the data is gained without phoning an opt-in, through searching e.g. LinkedIn or similar - would my company be on the hook??

What are your company's rules regarding the methods used to collect data?

If the company has specifically requested you to collect data from sources such as LinkedIn, then the company is responsible and not you.
If the company expects you to use your own initiative to get data, have they laid down and communicated to you the corporate data policies? Does the company have specific data policies?

You need to clarify with the employer where your responsibilities lie.
 

Simon Plummer

Free Member
Reading some of the replies I expect you are panicking! :)

If you are using information already in the public domain this is a different ball game and different more 'relaxed' rules will apply - more so, the focus is on how you process, manage and store the data.

There are 6 'lawful bases for processing'; the big one everyone talks about is consent. I tend to focus on 'legitimate interest' given it is nowhere near as restrictive. Only one is required.

Your company (as part of their GDPR project) should be identifying all information flows as part of their processes. In there would be data gathering for research etc. They should conduct a data privacy impact assessment which will highlight all risks, specify retention requirements, lawful basis for processing etc. etc. - this then becomes the 'playbook' for that activity.

You obviously want to review the PECR regs too. Make sure you have opt-out capability on all comms etc.
 

AnEmployee22

Free Member
Feb 17, 2018
Reading some of the replies I expect you are panicking! :)

If you are using information already in the public domain this is a different ball game and different more 'relaxed' rules will apply - more so, the focus is on how you process, manage and store the data.

There are 6 'lawful bases for processing'; the big one everyone talks about is consent. I tend to focus on 'legitimate interest' given it is nowhere near as restrictive. Only one is required.

Your company (as part of their GDPR project) should be identifying all information flows as part of their processes. In there would be data gathering for research etc. They should conduct a data privacy impact assessment which will highlight all risks, specify retention requirements, lawful basis for processing etc. etc. - this then becomes the 'playbook' for that activity.

You obviously want to review the PECR regs too. Make sure you have opt-out capability on all comms etc.

Thanks Simon.

I can now quote better, properly, now I am not on my phone aha. Public domain? Happy days, if it's all in there then I can relax a bit, or at least worry a bit less. Personally speaking, I only tend to get it from the public domain. I'll look into it in the coming weeks no doubt - gotta be GDPR compliant, and I'm sure the company will get it right.

You're quite right, I hope the company will have all of that covered for GDPR: information flows, research, that sort of thing. As long as it's publicly available, and safely held, stored etc., it sounds alright...
 

fluffybunny

I'm sorry Simon, but that's wrong. In the case where my email address is on LinkedIn, it doesn't allow for it to be scraped and for me to be emailed unless it's been stated that I am happy with that, as an example. See below: requirement 1 is easy to meet, but requirement 2, "legitimate interest", falls foul of my desire not to be marketed to...
The point I'm stressing is that some companies seem to believe that "legitimate interests", i.e. their own and business-as-usual, is a magical get-out clause, usually a view espoused by marketeers like the DMA. This "advice" is grossly misleading and people should be warned to avoid it.

Quoting from the ICO:

"Personal data available in the public domain is still personal data and Data Protection still applies to it" from the ICO.

and

The first requirement is that you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.

The second requirement, once the first has been established, is that these interests must be balanced against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual’s legitimate interests will come first.

Finally, the processing of information under the legitimate interests condition must be fair and lawful and must comply with all the data protection principles.
 
Last edited by a moderator:
  • Like
Reactions: ffox and fisicx
Upvote 0
But what is "personal data" in the public domain?

Would a business email address listed online (on their own website or another) with the domain name belonging to that business, be classed as personal data?

Yes.

GDPR definition is -

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
 
Upvote 0
F

fluffybunny

That'd be because most companies don't intend to comply until the very last minute, i.e. 25th May.
The legislation has been active for 2 years, so companies have had plenty of notice. It just hasn't been enforced yet, and that's coming very soon. It's odd how companies only seem to do things when it's enforced, and only after trying to find opt-out clauses, which says much about their regard for personal data.
We enacted our policy and gap analysis over a year ago, and so for us this is all old news.
It isn't quite utopia, but it goes a long way to blocking up the data leakage from companies, i.e. that work data you take home and leave on the back seat of the car, ex-employees walking out the door with your customer list, the end of free-for-all spam marketing.
Instead we will have secure data, transferred in a responsible manner, to known and listed 3rd parties. Processes will be accountable and documented. Marketing will be better targeted. When you start to look at the positives, there's a world of opportunity there.
 
  • Like
Reactions: ffox
Upvote 0
Quoting from the ICO:-

"Personal data available in the public domain is still personal data and Data Protection still applies to it" from the ICO.

Sorry to bother you but I've been pasting this quote and variations of it into Google and the ICO website itself for half an hour and still not found the source. Do you still have the link to this quote, or was it spoken word?

Thanks

Ross
 
Upvote 0
Search ICO for presentation-opening-the-box-fundraising

Great link. Not the same document, but perhaps even more indicative of the ICO view -
https://ico.org.uk/media/about-the-ico/documents/2013426/fundraising-conference-2017-paper.pdf

The docs are essentially referring to processing related to fundraising, but they focus the ICO's views of DPA regulation related to the use of personal data in the public domain.

"Also, you shouldn’t assume that simply because an individual has put personal information into the public domain, they’re agreeing to it being used for any purpose. For example, individuals may want as many people as possible to read their tweet or Facebook post. Yet that doesn’t mean they’re agreeing to have those pieces of information collected and analysed to set (say) their insurance premium or their credit risk. The fact that personal information is publicly available doesn’t make it ‘fair game’. And it doesn’t make further use of that personal information for any purpose fair. "

The same ICO view will apply to B2B personal information.
 
Last edited by a moderator:
Upvote 0

Latest Articles